The only patch from Microsoft Updates that is automatically available and fixes it these days is MS10-088, which is for CVE-2010-2572. However MS10-088 replacedearlier patches, including MS09-017 ( CVE-2009-0556 ). CVE-2009-0556 was used a in a lot in malicious attachments in the past

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.